Configure firewalls in Red Hat

Chamber VMs run Red Hat Enterprise Linux as the operating system. By default, the firewall is configured to deny all inbound connections except to managed services. To allow inbound communication, rules must be added to the firewall to allow traffic to pass. Similarly, if a rule is no longer needed, it should be removed.

This article presents the most common firewall configuration commands. For full documentation or more complex scenarios, see Chapter 40. Using and configuring firewalld of the Red Hat Enterprise Linux 8 documentation.

All the operations referenced here require sudo privileges and thus need the Chamber Admin role.

Important

VMs can only communicate with other VMs in the same chamber. Chamber-to-chamber traffic is never permitted and modifying firewall rules won't enable inter-chamber traffic.

Prerequisites

  • A user account with the Chamber Admin role.

List all open ports

List all currently open ports and their associated protocols.

$ sudo firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: eth0
 sources: 
 services: cockpit dhcpv6-client ssh
 ports: 6817-6819/tcp 60001-63000/tcp
 protocols: 
 forward: no
 masquerade: no
 forward-ports: 
 source-ports: 
 icmp-blocks: 
 rich rules: 

Open ports for traffic

You can open a single port or a consecutive range of ports for network traffic. Changes to firewalld are temporary and don't persist if the service is restarted or reloaded unless committed.

Open a single port

Open a single port with firewalld for a given protocol using the --add-port=portnumber/porttype option. This example opens port 33500/TCP.

$ sudo firewall-cmd --add-port=33500/tcp
success

Commit the rule to the permanent set:

$ sudo firewall-cmd --runtime-to-permanent
success

Open a range of ports

Open a range of ports with firewalld for a specified protocol with the --add-port=startport-endport/porttype option. This command is useful in distributed computing scenarios where workers are dispatched to a large number of nodes and multiple workers might be on the same physical node. This example opens 100 consecutive ports starting at port 5000 with the UDP protocol.

$ sudo firewall-cmd --add-port=5000-5099/udp
success

Commit the rule to the permanent set:

$ sudo firewall-cmd --runtime-to-permanent
success

Remove port rules

If rules are no longer needed, they can be removed using the same notation as when adding them, with the --remove-port=portnumber/porttype option. This example removes a single port:

$ sudo firewall-cmd --remove-port=33500/tcp
success

Commit the rule to the permanent set:

$ sudo firewall-cmd --runtime-to-permanent
success
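As an added example that is not part of the original article, the following POSIX shell script wraps the add, commit and remove steps from the "Open ports for traffic" and "Remove port rules" sections above. It validates the portnumber/porttype or startport-endport/porttype argument before calling firewall-cmd and defaults to a dry run that only prints the commands it would run; the function names, the DRY_RUN variable and the sample port specifications are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): wrapper around the firewalld
# add/commit/remove workflow with input validation and a dry-run default.
# Assumptions: firewalld and sudo are available when DRY_RUN=0; the function
# names and the DRY_RUN variable are this example's own.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them with sudo

# validate_port_spec SPEC
# Accepts "N/tcp", "N/udp", "N-M/tcp" or "N-M/udp" with 1 <= N <= M <= 65535.
validate_port_spec() {
    spec="$1"
    case "$spec" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    ports="${spec%/*}"          # strip the "/proto" suffix
    start="${ports%-*}"         # left of the dash (or the whole value)
    end="${ports#*-}"           # right of the dash (or the whole value)
    case "$start" in *[!0-9]*|"") return 1 ;; esac
    case "$end"   in *[!0-9]*|"") return 1 ;; esac
    [ "$start" -ge 1 ] && [ "$start" -le 65535 ] || return 1
    [ "$end" -ge 1 ] && [ "$end" -le 65535 ] || return 1
    [ "$start" -le "$end" ] || return 1
    return 0
}

# run CMD ARGS...   prints "sudo CMD ARGS" in dry-run mode, otherwise executes it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sudo $*"
    else
        sudo "$@"
    fi
}

# open_port SPEC    add the runtime rule, then commit it to the permanent set
open_port() {
    validate_port_spec "$1" || { echo "invalid port spec: $1" >&2; return 1; }
    run firewall-cmd --add-port="$1" || return 1
    # note: this saves every runtime change in the zone, not only the one above
    run firewall-cmd --runtime-to-permanent
}

# remove_port SPEC  remove the rule with the same notation, then commit
remove_port() {
    validate_port_spec "$1" || { echo "invalid port spec: $1" >&2; return 1; }
    run firewall-cmd --remove-port="$1" || return 1
    run firewall-cmd --runtime-to-permanent
}

# Command-line use:  sh firewall-ports.sh open 5000-5099/udp
#                    DRY_RUN=0 sh firewall-ports.sh remove 33500/tcp
case "${1:-}" in
    open)   open_port "$2" ;;
    remove) remove_port "$2" ;;
esac
```

Run it with DRY_RUN=0 on a chamber VM (sudo, and therefore the Chamber Admin role, is required) to apply the change. One caveat worth keeping in mind for --runtime-to-permanent: it saves the whole runtime configuration of the zone, not only the rule just added, so any other uncommitted runtime change is persisted along with it; running sudo firewall-cmd --list-all first shows exactly what will be committed.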